Back

@GrapheneOS

I'm very new to grapheneos and I was surprised to find accrescent and not fdroid as an installable option.

I performed some web searches (not very extensive) and found no reason for this choice (yet).

Especially with #qlango containing so many trackers (see OP) - could you elaborate your point a bit more? Why is #Accrescent favored by #GrapheneOS by offering it as an installable app and how is this privacy focused?
@klopf @rufposten

@manu @klopf @rufposten F-Droid isn't a secure or trustworthy way to obtain open source apps. We're all for having a high quality app store which only packages apps meeting a high standard, but F-Droid is definitely not that app store and almost certainly never will be. It is not in our App Store because it's not safe and the developers have clearly demonstrated they cannot be trusted. Use it at your own risk, we don't recommend it and expect it to end very badly for people who use it.

@manu @klopf @rufposten Accrescent is an alternative to the Play Store where developers can distribute their apps to users securely with objective standards put in place for privacy and security. It is not supposed to be only privacy focused apps or only open source apps. We include it as being the best way for people to get specific apps available in it. It is not included as a way for people to get a list of recommended apps. We have the Play Store in our App Store too, so what's the issue?

@manu @klopf @rufposten If you're using F-Droid to obtain open source apps, you're making a mistake and putting your privacy and security at risk. You are far better off using the builds from the open source app developers which are signed by the developers. That way, you don't have unpredictable massive delays for updates which can go on for months. You avoid the apps being built on known to be poorly maintained infrastructure with outdated tools with sketchy downstream changes to them.

@manu @klopf @rufposten Either way, you're trusting the actual developers of the apps. By getting them from F-Droid, you're getting builds made on F-Droid's sketchy infrastructure with outdated tooling where you still trust the app developers just as much (it's not as if they review the code or changes to it) but are also trusting a whole additional set of infrastructure and people who we think have quite clearly demonstrated themselves to be highly untrustworthy for multiple reasons.

@GrapheneOS @manu @klopf @rufposten Are your arguments only targeting the Official F-Droid Repository, or the Repository architecture of F-Droid in general?

E.g. when I install Molly or Newpipe via the F-Droid repositories of their developers.

@linos @manu @klopf @rufposten Molly is available in Accrescent already. If all the apps you wanted were available there, what would be the reason to use another way to obtain them? That includes whatever closed source apps people want to use. If they were in Accrescent, why get them from the Play Store? It would of course not replace the apps depending on Google Play services and the Play Store for the services it provides but it would be a start.

@GrapheneOS
Hi, thanks four your summary and the pointer to the wireguard dev comment. I'll certainly follow up on this to better gauge the extent to which I'll trust F-Droid from here on out.

I've re-read my question and I've put the emphasis too much on the absence of F-Droid. I actually wouldn't have expected it to be part of GrapheneOS in the first place because it's easy to install for anyone who's capable of installing Graphene.

However, I was stumped to see Accrescent offered prominently because it does offer apps with privacy-invasive tracking and doesn't (and has no ability to) warn users about this. Considering the low number of apps in Accrescent, this is even more surprising because they probably know details about every single app in there. The Accrescent publication requirements do not regulate online-tracking at all. While I do understand your issues with F-Droid, I still don't understand how Accrescent deserves this favored place on GrapheneOS. I don't mean to challenge your decision but I'd like to understand how it came to be.

And yes, the Play Store is also offered but that has technical reasons beyond privacy. Anyone who cares the least bit will know that it's to be used cautiously. And it doesn't explain the reasons for why Accrescent is being favored beyond promising that privacy is important to them. Google would say the same, so do the F-Droid devs.

@linos @klopf @rufposten

@GrapheneOS

P.S.: I've found this closed issue on the Accrescent github and it's very verbose on how Accrescent decides about user tracking.

I don't know if this reasoning extends to GrapheneOS but I'll share for completenes' sake:
https://github.com/accrescent/accrescent/issues/637
@linos @klopf @rufposten

@manu @GrapheneOS @klopf @rufposten Hmm, I would enjoy seeing a contributions welcome or a label that indicates that possible better solutions need to be sketched out first, rather than having a not planned label on that issue

@linos @manu @klopf @rufposten See https://github.com/accrescent/meta/issues/25. The criteria for labels have to be objective and enforceable. An open source label, reproducible build label, etc. has to be well defined. They do have it as a planned feature, but it's meant to be an alternative to the Play Store and that includes packaging apps you don't like. It wouldn't be an alternative to the Play Store if it only permitted open source apps. If people want that they'll be able to get it from it.

@linos @manu @klopf @rufposten Accrescent is also not a GrapheneOS project. It meets our standards for an app repository distributing developer builds of apps securely and was therefore included in our App Store. Other app stores meeting our standards can be included there too. F-Droid does not and will not meet our standards. It will never be included in our App Store. A secure and trustworthy implementation of a repository of only open source apps would be happily included there.